Step 2: Configure your HP-UX machine to authenticate using PAM Kerberos.

The PAM Kerberos Release Note contains detailed information on how to configure an HP-UX machine to use PAM Kerberos with Windows 2000 as the KDC. Here is a brief description of the task.

Create /etc/krb5.conf:

/etc/krb5.conf is the Kerberos configuration file which specifies the default realm, the location of a KDC server and the log file names. The Kerberos client depends on the configuration to locate the realm’s KDC. The following is an example of /etc/krb5.conf which has the realm LA.CAL.COM, and machine myhost.la.cal.com as KDC:

    [libdefaults]
        default_realm = LA.CAL.COM
        default_tgs_enctypes = DES-CBC-CRC
        default_tkt_enctypes = DES-CBC-CRC
        ccache_type = 2

    [realms]
        LA.CAL.COM = {
            kdc = MYHOST.LA.CAL.COM:88
            kpasswd_server = MYHOST.LA.CAL.COM:464
        }

    [domain_realm]
        .la.cal.com = LA.CAL.COM

    [logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

/etc/krb5.conf should have permissions 644 and be owned by root.

Add the Kerberos services to /etc/services:

The /etc/services file needs to contain the Kerberos services. If your /etc/services is from the HP-UX 11.00 release, the Kerberos services will already exist. If your /etc/services doesn’t have the Kerberos services, add the following:

    kerberos      88/udp    kdc   # Kerberos v5 kdc
    kerberos      88/tcp    kdc   # Kerberos V5 kdc
    klogin        543/tcp         # Kerberos rlogin -kfall
    kshell        544/tcp   cmd   # Kerberos remote shell
    kerberos-adm  464/udp         # Kerberos 5 password change protocol
    kerberos-adm  464/tcp         # Kerberos 5 password change protocol
    kerberos-adm  749/udp         # Kerberos 5 admin/changepw
    kerberos-adm  749/tcp         # Kerberos 5 admin/changepw
    krb5_prop     754/tcp         # Kerberos slave propagation
    eklogin       2105/tcp        # Kerberos encrypted rlogin
    krb524        4444/tcp        # Kerberos 5 to 4 ticket translator
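
The check below is an added example, not part of the original HP document: it compares a services file against the entries listed above and prints only the lines that are missing, so they can be appended without duplicating existing ones. The function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Required entries, copied from the list in this section.
kerberos_required() {
cat <<'EOF'
kerberos      88/udp    kdc   # Kerberos v5 kdc
kerberos      88/tcp    kdc   # Kerberos V5 kdc
klogin        543/tcp         # Kerberos rlogin -kfall
kshell        544/tcp   cmd   # Kerberos remote shell
kerberos-adm  464/udp         # Kerberos 5 password change protocol
kerberos-adm  464/tcp         # Kerberos 5 password change protocol
kerberos-adm  749/udp         # Kerberos 5 admin/changepw
kerberos-adm  749/tcp         # Kerberos 5 admin/changepw
krb5_prop     754/tcp         # Kerberos slave propagation
eklogin       2105/tcp        # Kerberos encrypted rlogin
krb524        4444/tcp        # Kerberos 5 to 4 ticket translator
EOF
}

# missing_kerberos_services FILE  (function name is this example's own)
# Prints the required lines FILE lacks. An entry is present when FILE has the
# same port/protocol under that service name or one of its aliases.
missing_kerberos_services() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    kerberos_required | awk -v svc="$1" '
        BEGIN {
            while ((getline line < svc) > 0) {
                sub(/#.*/, "", line)              # ignore comments
                n = split(line, f)                # name port/proto aliases...
                if (n >= 2) have[f[1] " " f[2]] = 1
                for (i = 3; i <= n; i++) have[f[i] " " f[2]] = 1
            }
        }
        { key = $1 " " $2; if (!(key in have)) print }
    '
}

# Constructed sample: a services file that has only some of the entries.
sample="${TMPDIR:-/tmp}/services.sample.$$"
cat > "$sample" <<'EOF'
telnet        23/tcp
kerberos5     88/udp    kerberos kdc   # different name, alias matches
kerberos      88/tcp    kdc
klogin        543/tcp
EOF
missing_kerberos_services "$sample"   # prints the 8 lines still to be added
rm -f "$sample"
```

Run it against /etc/services and review the output before appending it; an empty result means every entry is already present.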

Add a host key to the /etc/krb5.keytab file:
